Back to Home

Subprocessors

Last updated: January 28, 2026

Note: We're an early-stage company and will keep this document updated as our policies mature.

1. Introduction

True Record engages certain third-party service providers ("Sub-processors") to assist in delivering our services. This page lists all Sub-processors who may process customer data, including their purpose, data types processed, and data regions.

This list is maintained in accordance with our Data Processing Agreement and GDPR requirements.

2. Notification of Changes

We will notify customers of changes to our Sub-processor list by:

  • Updating this page with the effective date
  • Email notification for material changes (addition/removal of Sub-processors)
  • 30-day advance notice for new Sub-processors

Customers may object to a new Sub-processor within 30 days of notification. See our Data Processing Agreement for details.

3. Current Sub-processors

SalesforceDPA

Core service integration - OAuth authentication, data sync, duplicate detection

Data Types Processed:

  • Org identifiers
  • Salesforce tokens (encrypted)
  • Record snapshots for matching
  • User email addresses

Data Region:

Customer-specific (based on Salesforce instance region)

Privacy Policy:

View Privacy Policy

Additional Information:

Data residency follows customer Salesforce instance location. We only store encrypted OAuth tokens and minimal record snapshots needed for duplicate detection.

OpenAIDPA

Embedding generation for AI duplicate detection

Data Types Processed:

  • Text derived from selected record field values used for embedding generation (configurable; defaults per object)
  • Embedding vectors (results cached in our database)
  • Token usage totals for billing

Data Region:

US

Privacy Policy:

View Privacy Policy

Additional Information:

We send only the text used to generate embeddings (based on your configured AI/both fields, or our per-object defaults). OpenAI states that API data is not used to train models by default. Embeddings are cached until the record changes or the org is removed.

AnthropicDPA

AI-powered match explanations

Data Types Processed:

  • Field comparison summaries for matched record pairs
  • Match confidence scores and field similarity data
  • Token usage totals for billing

Data Region:

US

Privacy Policy:

View Privacy Policy

Additional Information:

Used for generating natural language explanations of why records matched. Only field comparison summaries are sent (e.g., "Name: John Smith vs Jon Smith"), not complete record data. Anthropic states that API data is not used to train models.

Neon (PostgreSQL)DPA

Primary database storage

Data Types Processed:

  • All application data
  • Encrypted Salesforce tokens
  • Audit logs
  • Match results
  • User account information
  • Organization settings

Data Region:

US East (AWS us-east-1)

Privacy Policy:

View Privacy Policy

Additional Information:

Serverless PostgreSQL database. All data is encrypted at rest and in transit.

VercelDPA

Application hosting and edge functions

Data Types Processed:

  • Request logs (minimal)
  • Analytics data (anonymized)
  • Function execution logs

Data Region:

Global edge network (US primary)

Privacy Policy:

View Privacy Policy

Additional Information:

Hosting provider for the application. No user data is stored by Vercel, only application code and request metadata.

StripeDPA

Payment processing and subscription management

Data Types Processed:

  • Billing email
  • Payment information
  • Subscription status
  • Customer ID

Data Region:

US (with global replication)

Privacy Policy:

View Privacy Policy

Additional Information:

Payment card data never touches our servers - handled entirely by Stripe.js. We only store Stripe customer and subscription IDs.

ResendDPA

Transactional email delivery

Data Types Processed:

  • Email addresses
  • Invitation tokens (temporary)
  • Email content (not stored after delivery)

Data Region:

US

Privacy Policy:

View Privacy Policy

Additional Information:

Email service provider. Email content is not stored after successful delivery. Only used for transactional emails (invitations, notifications).

TwilioDPA

Phone number verification (optional add-on)

Data Types Processed:

  • Phone numbers from Salesforce records
  • Carrier and line type information (returned)
  • Validation status

Data Region:

US

Privacy Policy:

View Privacy Policy

Additional Information:

Optional Phone Verification add-on. Only phone numbers are sent; no PII beyond the number itself. Used to detect disconnected or invalid phone numbers via Twilio Lookup API.

ZeroBounceDPA

Email deliverability verification (optional add-on)

Data Types Processed:

  • Email addresses from Salesforce records
  • Validation status and deliverability score (returned)
  • Disposable/catch-all detection results

Data Region:

US

Privacy Policy:

View Privacy Policy

Additional Information:

Optional Email Verification add-on. Only email addresses are sent for validation. Used to detect invalid, disposable, or undeliverable email addresses.

Google (Maps Platform)DPA

Address validation and geocoding (optional add-on)

Data Types Processed:

  • Address components from Salesforce records (street, city, state, postal code, country)
  • Standardized address and geocode coordinates (returned)
  • Deliverability confidence score

Data Region:

Global (US primary)

Privacy Policy:

View Privacy Policy

Additional Information:

Optional Address Geocoding add-on. Address components are sent for validation and geocoding. Used to standardize addresses and verify deliverability via Google Address Validation API.

Apollo.ioDPA

Data enrichment for Accounts, Leads, and Contacts (optional add-on)

Data Types Processed:

  • Domain/website URLs (for Account enrichment)
  • Email addresses (for Lead/Contact enrichment)
  • Company and person data (returned): industry, employee count, revenue, LinkedIn URLs, phone numbers, addresses

Data Region:

US

Privacy Policy:

View Privacy Policy

Additional Information:

Optional Data Enrichment add-on. Only the lookup key (domain or email) is sent. Apollo returns enriched company and contact data from their database of 275M+ contacts and 73M+ companies. Enrichment results are cached to minimize API calls.

4. Data Processing Standards

All Sub-processors are required to:

  • Sign data processing agreements with data protection obligations equivalent to our DPA
  • Implement appropriate technical and organizational security measures
  • Comply with applicable data protection laws (GDPR, CCPA, etc.)
  • Only process data as instructed by True Record
  • Notify us of any data breaches without undue delay
  • Maintain compliance certifications where applicable (SOC 2, ISO 27001, etc.)

5. Data Transfers and Safeguards

5.1 International Transfers

Some Sub-processors are located in or may transfer data to the United States. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Sub-processor data processing agreements with equivalent protections
  • Supplementary measures where appropriate to ensure GDPR compliance

5.2 Salesforce Data Residency

For Salesforce integration, data residency follows your Salesforce instance region. True Record only stores minimal record snapshots in our primary database (US East) for duplicate detection.

6. Export and Download

You can download this Sub-processor list for your records. This list is updated regularly and the "Last Updated" date is shown at the top of this page.

7. Questions and Objections

If you have questions about our Sub-processors or wish to object to a new Sub-processor, please contact:

We will respond to inquiries within 5 business days and objections within 15 business days.

Summary

Total Sub-processors:

11

With DPA Coverage:

11

Last Updated:

January 28, 2026

Related Documents

Privacy PolicyData Processing AgreementSecurity & FAQ